Hi
While enabling the xpack in elasticsearch 7.17, we are facing the below issue
ElasticsearchSecurityException[failed to load SSL configuration [xpack.security.transport.ssl]]; nested: ElasticsearchException[failed to initialize SSL TrustManager]; nested: IOException[parseAlgParameters failed: ObjectIdentifier() -- data isn't an object ID (tag = 48)]; nested: IOException[ObjectIdentifier() -- data isn't an object ID (tag = 48)];
Please check & help us on this
Hi @navaneethan,
Can you share your configuration?
Below is my elasticsearch.yml conf file
cluster.name: cluster1
node.name: cf3
node.roles: [ data,master ]
network.host: 0.0.0.0
http.port: 9106
transport.port: 9116
path.logs: /u01/elasticsearch_7.17.15/logs/${cluster.name}/${node.name}
path.data: /u01/elasticsearch_7.17.15/data/${cluster.name}/${node.name}
bootstrap.memory_lock: true
discovery.seed_providers: file
cluster.initial_master_nodes: cf1, cf2, cf3
action.destructive_requires_name: true
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.client_authentication: required
xpack.security.transport.ssl.keystore.path: certs/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: certs/elastic-certificates.p12
below are the steps i followed in my 7.17 cluster
in home path
bin/elasticsearch-certutil ca
bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12
add the below in each node
bin/elasticsearch-keystore add xpack.security.transport.ssl.keystore.secure_password
bin/elasticsearch-keystore add xpack.security.transport.ssl.truststore.secure_password
updated the yml params
restarted the Elasticsearch nodes
Can you try running
keytool -list -keystore /path/to/certs/elastic-certificates.p12
(You'll need to replace /path/to/ with the correct path to your certificate file)
I expect that to give a similar error to the one Elasticsearch is logging, in which case we can infer that the problem is with your PKCS#12 file (and we'll need to work out why)
Hi @TimV
We are getting the below result after running the above
Keystore type: PKCS12
Keystore provider: SUN
Your keystore contains 2 entries
ca, Mar 4, 2024, trustedCertEntry,
Certificate fingerprint (SHA-256): C3:D3:D9:00:2E:F1:F6:D2:09:EB:0A:D3:09:D2:13:3C:30:78:D5:6C:CE:40:9F:CC:57:D2:B1:B8:72:75:33:04
instance, Mar 4, 2024, PrivateKeyEntry,
Certificate fingerprint (SHA-256): ED:FB:32:53:B6:46:10:E9:26:AE:47:13:20:DC:BF:50:8F:AA:F0:48:75:16:C3:24:F3:07:2B:BB:1B:FF:C8:ED
Are you seeing the same error on all nodes?
Please post the full stack trace from the logs so we can try to work out exactly where the problem is happening.
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.